x9090's Blog: SWF Exploit Analysis

Sunday, May 24, 2009

SWF Exploit Analysis - Part 1

It has been a while since my last post dated on 4 April 2009. Today I'm gonna to tell about the technical analysis on SWF (Flash Video) exploitation file.

Tools Needed

SWFTools
Disassembler - IDA Pro for static analysis
Debugger - OllyDbg for dynamic analysis
Hackers View (Hiew) for hex view
UltraEdit for generating the shellcode

Overview

The analysis is divided into 2 parts. The first part will explain the decompress the SWF file and extract embedded exploited SWF file. After that it will be followed by how to locate and extract the obfuscated shellcode.

The second part will explain how to deofuscate the shellcode and its payload.

Analysis of SWF

This is the screenshot of the original exploit SWF file to give you an image on how does the file looks like:

It is totally unreadable huh! ;) That is because the SWF file was compressed by looking at the first 3 bytes CWS. We can dump tag by using swfdump.exe from SWFTools:

C:\bin\swftools\swfdump.exe -atpdu flash.$wf > flash.swf.swfdump

Output:

continuation...

Notice that there are a number of pushstring commands, which are the hex code of the exploited SWF files. They will generate the same exploited SWF file. Extract one of the hex string from the pushstring commands into UltraEdit, like this:

Copy and paste the hex string and press a SAPCEBAR (yes, a SPACEBAR!!!) to create a hex code 20. After that press Ctrl + H to switch to hex mode:

Double click 20 and press Ctrl + R to replace the space with hex string:

Click Replace All button and the result would be:

Under Hiew:

It is now more readable right ;)

Now we can use swfdump.exe again to see the tag and we need to find DEFINEBITS section where the shellcode is located:

C:\bin\swftools\swfdump.exe -atpdu exploit_swf > exploit_swf.swfdump

Output:

From the DEFINEBITS section, we can know the starting offset of the shellcode as well as its end offset:

[image continuation]

So we should find offset from aa 02 34 d1 to 11 67 8a 37 using your any hex editors as you like:

continuation:

And the obfuscated shellcode looks like this:

Conclusion

We got the shellcode from the exploited SWF but we still do not know what its payloads. In the next section, I will explain how to deofuscate the shellcode by looking for the "key" in order to deobfuscate it and some common techniques used in shellcode like using PEB to find the kernel32.dll and then looking for the address of LoadLibrary to load the necessary APIs in order to execute its payload.

To be continued...

3 comments:

ByteSurfer said...: Nice one; May 31, 2009 at 2:16 PM
x9090 said...: Thanks!

Second part will be coming soon. Stay tuned.... ;); May 31, 2009 at 4:07 PM
ByteSurfer said...: sure ... i will be waiting ..; May 31, 2009 at 4:17 PM